>We recently came across a suspicious NPM package called `buildrunner-dev`. The package is deceptively simple, containing a package.json with a postinstall hook pointed at an `init.js` file, but that’s where things got interesting.

>The postinstall script was triggered upon package installation and dropped a batch file called `packageloader.bat`. At first glance it looked like pure noise due to thousands of characters that appear to be gibberish; nature-themed REM comments, and variable names that read like a cat walked across someone’s keyboard. But as we started peeling back layer after layer of obfuscation, we uncovered a remarkably well-engineered attack chain that hides its true payloads inside the RGB pixel values of PNG images hosted on a free image service.